Full Report
Study finds built-in browsers across gadgets often ship years out of date Web browsers for desktop and mobile devices tend to receive regular security updates, but that often isn't the case for those that reside within game consoles, televisions, e-readers, cars, and other devices. These outdated, embedded browsers can leave you open to phishing and other security vulnerabilities.…
Analysis Summary
# Vulnerability: Widespread Outdated Embedded Web Browsers Leading to Major Security Risks
## CVE Details
- CVE ID: Not specified in the article. The research focuses on general findings of outdated software rather than specific, enumerated CVEs tied to all affected products.
- CVSS Score: Not specified in the article for the general issue.
- CWE: Potentially related to CWE-1104 (Use of Insufficiently Updated Software) or specific browser component flaws (e.g., XSS, CSRF, Directory Traversal from the underlying outdated engine).
## Affected Systems
- Products: Embedded browsers found in game consoles, televisions (Smart TVs), e-readers, vehicles (cars), and potentially software platforms like Steam, Ubisoft Connect, and AMD Adrenalin.
- Versions: Varies significantly. Examples include:
- Boox Note Air 3 (shipped Jan 2024) using NeoBrowser based on **Chromium 85** (Aug 2020).
- Ubisoft Connect using a browser based on **Chromium 109** (Jan 2023).
- AMD Adrenalin using a browser based on **Chromium 112** (Apr 2023).
- Some products shipped with browsers **over three years obsolete** at the time of release.
- Configurations: Devices using development frameworks like Electron where browser updates are coupled with entire framework updates, leading to neglect.
## Vulnerability Description
Embedded web browsers across various connected consumer devices and platforms are often shipped severely outdated, sometimes incorporating known, unpatched security vulnerabilities dating back several years. This neglect leaves users susceptible to traditional web-based attacks, including phishing. Specific observed issues include:
1. **Phishing Risk:** In older Steam versions, researchers could spoof the origin of alert boxes to appear legitimate due to an open redirect vulnerability.
2. **Privilege Escalation Risk:** Ubisoft Connect's browser was found configured with the `--no-sandbox` flag, increasing the risk of privilege escalation if a browser vulnerability were exploited.
3. **Address Bar Spoofing:** AMD Adrenalin's Chromium 112-based browser exhibited address bar spoofing vulnerabilities.
## Exploitation
- Status: Specific CVEs were not reproduced due to environment limitations, but **PoC exists for phishing simulation** (alert box spoofing on Steam) and **configuration review identified high-risk settings** (`--no-sandbox`).
- Complexity: Varies. Phishing lure creation (alert spoofing) appears **Low** in the affected (but older) application contexts tested. Exploiting underlying engine flaws would depend on the specific unpatched CVEs present.
- Attack Vector: Primarily **Network** (for exploiting web-facing vulnerabilities used in phishing/exploit delivery) or **Local** (if exploitation of a sandboxing failure leads to host takeover).
## Impact
- Confidentiality: **High** (If outdated browser engine allows remote code execution or information disclosure).
- Integrity: **High** (Risk of system compromise via privilege escalation or successful phishing leading to credential theft).
- Availability: **Medium** (Successful RCE could lead to service denial or device instability).
## Remediation
### Patches
- No universal patch version is provided, as this affects numerous vendors and products. Vendors are expected to update their embedded browser components (often based on Chromium forks) to modern, patched versions.
- **AMD:** Acknowledged the address bar spoofing issue and was reportedly working on a fix at the time of the research presentation.
- General: Devices must receive updates addressing the specific underlying CVEs in the outdated browser engine versions (e.g., Chromium 85, 109, 112).
### Workarounds
- **Avoid Using Embedded Browsers:** Users should refrain from browsing potentially malicious or untrusted websites using the integrated browser on TVs, e-readers, or vehicles.
- **Configuration Check (Vendors/Power Users):** For platforms like AMD Adrenalin or Ubisoft Connect, verify that sandbox protections (`--no-sandbox` flag) have been removed or properly configured by the vendor.
- **External Browsers:** Where possible, use sandboxed, actively updated standalone desktop/mobile browsers for sensitive activities.
## Detection
- Indicators of Compromise: Inconclusive without knowing specific underlying CVEs. Potential indicators might include unexpected pop-ups, unexpected application crashes on web links, or network activity inconsistent with expected device use.
- Detection methods and tools: Use the DistriNet **CheckEngine** framework (if available and adaptable) to periodically audit the embedded browser version against known current public releases. System administrators or security teams must maintain an inventory of platform/firmware versions and cross-reference them against known browser engine lifecycle documentation.
## References
- Vendor advisories: None specific, but AMD acknowledged an issue.
- Relevant links - defanged:
- Research Paper: hxxps://www.usenix.org/system/files/soups2025-franken.pdf
- CheckEngine Framework: hxxps://github.com/DistriNet/CheckEngine
- KU Leuven Summary: hxxps://nieuws.kuleuven.be/en/content/2025/outdated-embedded-web-browsers-create-security-risks
- Steam Open Redirect Reference: hxxps://medium.com/@alcatech-security/how-i-find-open-redirect-and-rfd-on-steam-domain-7f8b27457e5a
- EU Cyber Resilience Act: hxxps://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act